Bug 1508662 - dac_override denials prevent start of 389-ds (FreeIPA)
Summary: dac_override denials prevent start of 389-ds (FreeIPA)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F28BetaBlocker
Reported: 2017-11-01 22:47 UTC by Adam Williamson
Modified: 2017-11-27 22:36 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-27 22:36:11 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2017-11-01 22:47:42 UTC
FreeIPA deployment on Rawhide currently fails due to SELinux dac_override denials preventing 389-ds from starting up during the deployment process. Log messages:

Oct 27 06:48:44 ipa001.domain.local systemd[1]: Starting 389 Directory Server DOMAIN-LOCAL....
Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc:  denied  { dac_override } for  pid=6012 comm="ns-slapd" capability=1  scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0
Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: Failed to open file /var/log/dirsrv/slapd-DOMAIN-LOCAL/errors. error -5966 (Access Denied.). Exiting...
Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: [27/Oct/2017:09:48:44.906058630 -0400] - ERR - slapd_bootstrap_config - %s: %s: %s.
Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: Cannot open errorlog file "/var/log/dirsrv/slapd-DOMAIN-LOCAL/errors", errors cannot be logged.  Exiting...
Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc:  denied  { dac_override } for  pid=6012 comm="ns-slapd" capability=1  scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0
Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc:  denied  { dac_override } for  pid=6012 comm="ns-slapd" capability=1  scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0
Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc:  denied  { dac_override } for  pid=6012 comm="ns-slapd" capability=1  scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0
Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]:  - /etc/dirsrv/slapd-DOMAIN-LOCAL/dse.ldif[27/Oct/2017:09:48:44.987599418 -0400] - WARN - log_update_accesslogdir - Can't open file %s. errno %d (%s)
Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]:  - /var/log/dirsrv/slapd-DOMAIN-LOCAL/access[27/Oct/2017:09:48:44.987658826 -0400] - ERR - dse_read_one_file - The entry cn=config in file /etc/dirsrv/slapd-DOMAIN-LOCAL/dse.ldif (lineno: 1) is invalid, error code 53 (Server is unwilling to perform) - Cannot open accesslog directory "/var/log/dirsrv/slapd-DOMAIN-LOCAL/access", client accesses will not be logged.
Oct 27 06:48:45 ipa001.domain.local ns-slapd[6012]: [27/Oct/2017:09:48:45.014574217 -0400] - ERR - init_dse_file - Could not load config file [dse.ldif]
Oct 27 06:48:45 ipa001.domain.local ns-slapd[6012]: [27/Oct/2017:09:48:45.014638429 -0400] - ERR - setup_internal_backends - Please edit the file to correct the reported problems and then restart the server.
Oct 27 06:48:45 ipa001.domain.local systemd[1]: dirsrv: Main process exited, code=exited, status=1/FAILURE
Oct 27 06:48:45 ipa001.domain.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dirsrv@DOMAIN-LOCAL comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Oct 27 06:48:45 ipa001.domain.local systemd[1]: dirsrv: Failed with result 'exit-code'.
Oct 27 06:48:45 ipa001.domain.local systemd[1]: Failed to start 389 Directory Server DOMAIN-LOCAL..

Proposing as a Fedora 28 Beta blocker, per Basic criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" - domain controller is a release-blocking role.
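As an added defender-side illustration (not part of the bug report or of the selinux-policy project): a small Python parser that pulls the fields out of AVC journal lines like the ones above, names the denied capability number, and correlates the denials with the file the confined process then reported it could not open. The sample log text is constructed from the lines quoted in the report.

```python
import re
from collections import Counter

# Constructed sample: three journal lines as quoted in the bug report.
SAMPLE_LOG = """\
Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc:  denied  { dac_override } for  pid=6012 comm="ns-slapd" capability=1  scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0
Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: Failed to open file /var/log/dirsrv/slapd-DOMAIN-LOCAL/errors. error -5966 (Access Denied.). Exiting...
Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc:  denied  { dac_override } for  pid=6012 comm="ns-slapd" capability=1  scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0
"""

# Linux capability numbers as they appear in the capability= field.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH"}

AVC_RE = re.compile(
    r"AVC avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPEN_FAIL_RE = re.compile(r"Failed to open file (\S+)\.")


def parse_avc(line):
    """Return a dict of the AVC fields for one journal line, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["cap_name"] = CAP_NAMES.get(int(rec["capability"]), "CAP_UNKNOWN")
    return rec


def summarize(log_text):
    """Count denials per (source domain, object class, permission) and collect the
    paths the confined process reported failing to open in the same log window."""
    counts = Counter()
    paths = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext"], rec["tclass"], perm)] += 1
            continue
        m = OPEN_FAIL_RE.search(line)
        if m:
            paths.append(m.group(1))
    return counts, paths


if __name__ == "__main__":
    counts, paths = summarize(SAMPLE_LOG)
    for (scontext, tclass, perm), n in counts.items():
        print(f"{n}x {scontext} denied {perm} on class {tclass}; paths: {paths}")
```

A dac_override denial on a capability is worth pairing with the file path this way: it tells you which file's ownership or mode the confined domain could not satisfy under DAC, which is the thing to inspect before considering any policy change.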

Comment 1 Geoffrey Marr 2017-11-27 18:36:07 UTC
Discussed during the 2017-11-27 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made as it violates the following blocker criteria:

"Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed..." 

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-11-27/f27-8-blocker-review.2017-11-27-17.01.txt

Comment 2 Adam Williamson 2017-11-27 22:36:11 UTC
This looks like it's fixed in current Rawhide. FreeIPA deployment now gets slightly farther and fails on something else. 389-ds startup no longer fails immediately with this AVC and these error messages.

